etcd data in CoreWeave Kubernetes Service (CKS) clusters using a KMS-backed setup. For new CKS clusters created after June 24, 2025, this feature is enabled by default and requires no action from you.
For existing CKS clusters created on or before June 24, 2025, you must rotate your existing Kubernetes Secrets once. After that, CoreWeave handles the lifecycle for you.
etcd by default.
You typically configure encryption at rest manually using a Key Management Service (KMS) provider.
With CKS, CoreWeave sets up and maintains this for you automatically.
Rotate Secrets in existing clusters
If your CKS cluster was created before June 24, 2025, your existing Secrets might not yet be encrypted. To ensure full encryption coverage, replace the existing Secrets once. Going forward, CoreWeave encrypts any new Secrets you create automatically. The following command rotates your Secrets in place by replacing each existing Secret with itself, which triggers the KMS provider to encrypt them:etcd alongside any new Secrets you create.